Azure-Sentinel/Workbooks/AnalyticsHealthAudit.json


{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "46c56e28-782c-460a-92a2-2537d1f0a231",
"version": "KqlParameterItem/1.0",
"name": "DefaultSubscription_Internal",
"type": 1,
"isRequired": true,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
"crossComponentResources": [
"value::selected"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "589770ff-4a35-409b-890c-3ed910fa7750",
"version": "KqlParameterItem/1.0",
"name": "InternalWSs",
"type": 1,
"isRequired": true,
"query": "SecurityIncident\r\n| take 1\r\n| parse IncidentUrl with * \"/workspaces/\" Workspace \"/\" *\r\n| project Workspace",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "f5bac3e6-e933-4d14-9797-8e22510db74b",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| distinct subscriptionId, location\r\n| summarize by value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\r\n| order by value asc\r\n",
"crossComponentResources": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "2d857f74-6e2b-4c95-a8ef-23f9c8d69607",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "resources | where type =~ 'Microsoft.operationsmanagement/solutions' | where name contains 'SecurityInsights' \r\n| parse name with \"SecurityInsights(\" label \")\" \r\n| project id = tostring(properties.workspaceResourceId), label, selected = iff(label =~ '{InternalWSs}', true, false)",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "ab972580-f202-4006-ac44-eef045622963",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 604800000
}
},
{
"id": "61ddad88-c141-4879-809e-e71f2043c602",
"version": "KqlParameterItem/1.0",
"name": "Help",
"label": "Show Help",
"type": 10,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": []
},
"jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\r\n {\"value\": \"No\", \"label\": \"No\" }]",
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "f3ed922e-ec9e-41c7-a949-301771d7a1e7",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Overview",
"subTarget": "Overview",
"style": "link"
},
{
"id": "eb226fe9-f6d6-4fcf-bc8a-24490852ba88",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Health",
"subTarget": "Health",
"style": "link"
},
{
"id": "437dce74-d304-41ad-95fe-cfe79c5bcd4a",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Audit",
"subTarget": "Audit",
"style": "link"
}
]
},
"name": "links - 0"
},
{
"type": 1,
"content": {
"json": "## Health Summary"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "text - 5"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "The charts below illustrate the status of analytics rule runs for the time range: **{TimeRange:label}** and workspace(s): **{Workspace:label}**",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelHealth()\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| summarize count() by Status, bin(TimeGenerated,1h)",
"size": 0,
"title": "Analytics rule run by Status over time",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "areachart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Success",
"color": "greenDark"
},
{
"seriesName": "Informational",
"color": "blue"
},
{
"seriesName": "Failure",
"color": "redBright"
},
{
"seriesName": "Warning",
"color": "yellow"
}
]
}
},
"customWidth": "65",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelHealth()\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| summarize count() by Status",
"size": 0,
"title": "Analytics rule run by Status",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Success",
"color": "greenDark"
},
{
"seriesName": "Informational",
"color": "blue"
},
{
"seriesName": "Failure",
"color": "redBright"
},
{
"seriesName": "Warning",
"color": "yellow"
}
]
}
},
"customWidth": "35",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelHealth()\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| distinct SentinelResourceId\r\n| count \r\n| extend title = \"Total running Unique rule\"",
"size": 4,
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"min": 0,
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "15",
"name": "query - 2"
},
{
"type": 1,
"content": {
"json": ""
},
"customWidth": "70",
"name": "text - 6"
},
{
"type": 1,
"content": {
"json": "Review the list of unique reason(s) generated in your environment and examine the analytics rule(s) with 'Failure' and 'Warning' occurrences.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelHealth()\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| summarize Count=count() by Reason, Status",
"size": 1,
"title": "Analytics health summary by Reason",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Reason",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "75ch"
}
},
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Success",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Failure",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Warning",
"representation": "2",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Informational",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
],
"customColumnWidthSetting": "14ch"
}
},
{
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"min": -100,
"palette": "green",
"customColumnWidthSetting": "18ch"
}
}
]
}
},
"customWidth": "60",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelHealth()\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| where Status in (\"Failure\",\"Warning\")\r\n| summarize RunCount=count() by SentinelResourceId, RuleName=SentinelResourceName,Status\r\n| order by RunCount desc, Status asc",
"size": 1,
"title": "Analytics rules with Failure and Warning occurrences",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "SentinelResourceId",
"formatter": 5
},
{
"columnMatch": "RuleName",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "44ch"
}
},
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Failure",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Warning",
"representation": "2",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
],
"customColumnWidthSetting": "11ch"
}
},
{
"columnMatch": "RunCount",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "lightBlue",
"customColumnWidthSetting": "14ch"
}
},
{
"columnMatch": "SentinelResourceName",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "46ch"
}
}
]
}
},
"customWidth": "40",
"name": "query - 6"
},
{
"type": 1,
"content": {
"json": "The table below shows a list of rule(s) with 'Failure' or 'Warning' status (if any).\r\n<br>\r\nYou can look up a specific event using the Search field.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelHealth()\r\n| where OperationName in (\"Scheduled analytics rule run\",\"NRT analytics rule run\")\r\n| where Status in ('Failure', 'Warning')\r\n| project TimeGenerated, RuleName=SentinelResourceName, Status, Description, Reason, Type=SentinelResourceKind\r\n| order by TimeGenerated desc",
"size": 0,
"title": "Failure and Warning events",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "24ch"
}
},
{
"columnMatch": "RuleName",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "48ch"
}
},
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Failure",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Warning",
"representation": "2",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
],
"customColumnWidthSetting": "13ch"
}
},
{
"columnMatch": "Description",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "44ch"
}
},
{
"columnMatch": "Reason",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "44ch"
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "12ch"
}
}
],
"filter": true
}
},
"name": "query - 5"
},
{
"type": 1,
"content": {
"json": "---\r\n</br>\r\n\r\n## Audit Summary\r\n</br>"
},
"name": "text - 7"
},
{
"type": 1,
"content": {
"json": "The charts below illustrate analytics rule activity for the time range: **{TimeRange:label}** and workspace(s): **{Workspace:label}**",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 14"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| summarize count() by Description, bin(TimeGenerated,1h)",
"size": 0,
"title": "Analytics rule audit by Activity over time",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "areachart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Create or update analytics rule.",
"color": "blue"
},
{
"seriesName": "Analytics rule deleted",
"color": "red"
}
]
}
},
"customWidth": "65",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| summarize count() by Description",
"size": 0,
"title": "Analytics rule audit by Activity",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Create or update analytics rule.",
"color": "blue"
},
{
"seriesName": "Analytics rule deleted",
"color": "red"
}
]
}
},
"customWidth": "35",
"name": "query - 9"
},
{
"type": 1,
"content": {
"json": "The table below shows a list of rule(s) with activity performed (if any).\r\nYou can look up a specific event using the Search field.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Data = (\r\n_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n);\r\nlet Total = (\r\nData\r\n| summarize TotalEvents = count() by SentinelResourceId, RuleName=SentinelResourceName, Type=SentinelResourceKind\r\n);\r\nlet Activity = (\r\nData\r\n| summarize Count=count() by SentinelResourceId, Description\r\n| extend bag = bag_pack(Description,Count) \r\n| project-away Description, Count\r\n| summarize obj_bag = make_bag(bag) by SentinelResourceId\r\n| evaluate bag_unpack(obj_bag)\r\n);\r\nTotal | join kind=inner Activity on SentinelResourceId\r\n| project-away SentinelResourceId1\r\n",
"size": 0,
"title": "Analytics rule audit by activity volume",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "SentinelResourceId",
"formatter": 5
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "26ch"
}
},
{
"columnMatch": "TotalEvents",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "purple"
}
},
{
"columnMatch": "Analytics rule deleted",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "lightBlue",
"customColumnWidthSetting": "28ch"
}
},
{
"columnMatch": "Create or update analytics rule.",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "lightBlue",
"customColumnWidthSetting": "32ch"
}
}
],
"filter": true
}
},
"name": "query - 10"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Overview"
},
"customWidth": "100",
"name": "group - Overview"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Analytics Health",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "edbcfa44-f6d8-4c72-ad59-0db39294b0ea",
"version": "KqlParameterItem/1.0",
"name": "Status",
"type": 2,
"isRequired": true,
"isGlobal": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "",
"showDefault": false
},
"jsonData": "[{ \"value\": \"Success\", \"label\": \"Success\"},\r\n { \"value\": \"Failure\", \"label\": \"Failure\"},\r\n { \"value\": \"Warning\", \"label\": \"Warning\"},\r\n { \"value\": \"Informational\", \"label\": \"Informational\"}\r\n]",
"timeContext": {
"durationMs": 86400000
},
"defaultValue": "value::all"
},
{
"id": "4b501fb5-c36d-4e35-a1c5-7366705ac6d9",
"version": "KqlParameterItem/1.0",
"name": "RuleType",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "",
"showDefault": false
},
"jsonData": "[{ \"value\": \"NRT\", \"label\": \"NRT\"},\r\n { \"value\": \"Scheduled\", \"label\": \"Scheduled\"}]",
"timeContext": {
"durationMs": 86400000
},
"defaultValue": "value::all"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 1,
"content": {
"json": "The line chart below is Time Brush enabled.\r\n<br>\r\nYou can filter or narrow down the time range by 'brushing' a range of time in the chart. (To reset, click the 'reset the time range selection' icon in the top right corner of the chart.)\r\n",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| summarize count() by Status, bin(TimeGenerated,1h)",
"size": 0,
"title": "Analytics rule run trending over time",
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "timechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Success",
"color": "greenDark"
},
{
"seriesName": "Informational",
"color": "blue"
},
{
"seriesName": "Failure",
"color": "redBright"
}
]
}
},
"name": "query - 1"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "2fdaa8bc-ad2a-4f35-be1c-e7bf20155df9",
"version": "KqlParameterItem/1.0",
"name": "Reason",
"type": 2,
"isRequired": true,
"isGlobal": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| distinct Reason",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrush",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n| summarize count() by Status",
"size": 4,
"title": "Analytics rule run by Status",
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Success",
"color": "greenDark"
},
{
"seriesName": "Failure",
"color": "redBright"
},
{
"seriesName": "Informational",
"color": "blue"
},
{
"seriesName": "Warning",
"color": "yellow"
}
]
}
},
"customWidth": "30",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Data =(\r\n_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n);\r\nlet Total =(\r\nData\r\n| summarize Total=dcount(SentinelResourceId) by Status);\r\nlet Scheduled=(\r\nData\r\n| where SentinelResourceKind == \"Scheduled\"\r\n| summarize Scheduled =dcount(SentinelResourceId) by Status);\r\nlet NRT=(\r\nData\r\n| where SentinelResourceKind == \"NRT\"\r\n| summarize NRT =dcount(SentinelResourceId) by Status);\r\nunion Total, Scheduled, NRT\r\n| summarize Unique_Rule= sum(Total), Scheduled= sum(Scheduled), NRT=sum(NRT) by Status\r\n| extend StatusText = strcat(\"'\",Status,\"'\")\r\n",
"size": 4,
"title": "Number of unique rules by Rule type and Status",
"timeContextFromParameter": "TimeBrush",
"exportFieldName": "StatusText",
"exportParameterName": "Status",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Success",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Failure",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Informational",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Warning",
"representation": "2",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
],
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "Unique_Rule",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "gray",
"customColumnWidthSetting": "40ch"
}
},
{
"columnMatch": "Scheduled",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "grayBlue",
"customColumnWidthSetting": "30ch"
}
},
{
"columnMatch": "NRT",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "blueDarkDark",
"customColumnWidthSetting": "30ch"
}
},
{
"columnMatch": "StatusText",
"formatter": 5
},
{
"columnMatch": "Unique_Reason",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "turquoise"
}
}
]
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "Status",
"formatter": 1
},
"centerContent": {
"columnMatch": "UniqueRule",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "70",
"name": "query - 6"
},
{
"type": 1,
"content": {
"json": "You can filter by Status or Reason by clicking an item in the charts below.\r\n<br>\r\nTo reset, click the 'clear selection' icon in the top right corner of the chart.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n| summarize Unique_Reason=dcount(Reason) by Status\r\n| extend StatusText = strcat(\"'\",Status,\"'\")",
"size": 4,
"title": "Number of unique reasons by Status",
"timeContextFromParameter": "TimeBrush",
"exportFieldName": "StatusText",
"exportParameterName": "Status",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Success",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Failure",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Informational",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Warning",
"representation": "2",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
],
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "Unique_Reason",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "turquoise",
"customColumnWidthSetting": "40ch"
}
},
{
"columnMatch": "StatusText",
"formatter": 5
}
]
}
},
"customWidth": "30",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n| summarize Occurence=count(), Unique_Rule= dcount(SentinelResourceId) by Status,Reason\r\n| extend ReasonText = strcat(\"'\",Reason,\"'\")",
"size": 1,
"title": "Unique reasons by Status",
"timeContextFromParameter": "TimeBrush",
"exportFieldName": "ReasonText",
"exportParameterName": "Reason",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Success",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Failure",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Informational",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Warning",
"representation": "2",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
],
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "Reason",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "80ch"
}
},
{
"columnMatch": "Occurence",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "orange",
"customColumnWidthSetting": "27ch"
}
},
{
"columnMatch": "Unique_Rule",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "gray",
"customColumnWidthSetting": "27ch"
}
},
{
"columnMatch": "ReasonText",
"formatter": 5
}
]
}
},
"customWidth": "70",
"name": "query - 9"
},
{
"type": 1,
"content": {
"json": "💡 Click a row in the grid below to drill in further",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Data = ( \r\n_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n);\r\nData\r\n| summarize arg_max(TimeGenerated,*) by SentinelResourceId\r\n| project SentinelResourceId, SentinelResourceName,Type=SentinelResourceKind, LastStatus=Status,LastStatusDateTime=TimeGenerated\r\n| join kind= leftouter ( \r\nData\r\n| where Status ==\"Success\"\r\n| make-series SuccessTrend = count() default =0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SentinelResourceId\r\n) on SentinelResourceId\r\n| project-away SentinelResourceId1, TimeGenerated\r\n| join kind= leftouter ( \r\nData\r\n| where Status ==\"Failure\"\r\n| make-series FailureTrend = count() default =0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SentinelResourceId\r\n) on SentinelResourceId\r\n| project-away SentinelResourceId1, TimeGenerated\r\n| join kind= leftouter (\r\nData\r\n| where Status ==\"Warning\"\r\n| make-series WarningTrend = count() default =0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SentinelResourceId\r\n) on SentinelResourceId\r\n| project-away SentinelResourceId1, TimeGenerated\r\n| join kind= leftouter ( \r\nData\r\n| where Status ==\"Informational\"\r\n| make-series InformationalTrend = count() default =0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SentinelResourceId\r\n) on SentinelResourceId\r\n| project-away SentinelResourceId1, TimeGenerated\r\n| order by SentinelResourceName asc\r\n| project-rename RuleName=SentinelResourceName",
"size": 0,
"title": "Analytics rule by Status and Trending",
"timeContextFromParameter": "TimeBrush",
"exportedParameters": [
{
"fieldName": "SentinelResourceId",
"parameterName": "SentinelResourceId",
"parameterType": 1
},
{
"fieldName": "RuleName",
"parameterName": "RuleName",
"parameterType": 1
}
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "SentinelResourceId",
"formatter": 5
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "12ch"
}
},
{
"columnMatch": "LastStatus",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Success",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Failure",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Informational",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Warning",
"representation": "2",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
],
"customColumnWidthSetting": "17ch"
}
},
{
"columnMatch": "LastStatusDateTime",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "25ch"
}
},
{
"columnMatch": "SuccessTrend",
"formatter": 9,
"formatOptions": {
"palette": "green",
"customColumnWidthSetting": "160px"
}
},
{
"columnMatch": "FailureTrend",
"formatter": 9,
"formatOptions": {
"palette": "red",
"customColumnWidthSetting": "140px"
}
},
{
"columnMatch": "WarningTrend",
"formatter": 9,
"formatOptions": {
"palette": "yellow",
"customColumnWidthSetting": "140px"
}
},
{
"columnMatch": "InformationalTrend",
"formatter": 9,
"formatOptions": {
"palette": "blue",
"customColumnWidthSetting": "150px"
}
}
],
"filter": true,
"sortBy": [
{
"itemKey": "$gen_thresholds_LastStatus_3",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "$gen_thresholds_LastStatus_3",
"sortOrder": 2
}
]
},
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelHealth()\r\n| where SentinelResourceKind in ({RuleType})\r\n| where Status in ({Status})\r\n| where Reason in ({Reason})\r\n| where SentinelResourceId ==\"{SentinelResourceId}\"\r\n| project TimeGenerated, RuleName=SentinelResourceName, Status, Type=SentinelResourceKind, Description, Reason",
"size": 0,
"title": "Health details for analytics rule: {RuleName}",
"timeContextFromParameter": "TimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "TimeGenerated",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "30ch"
}
},
{
"columnMatch": "Status",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Success",
"representation": "success",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Failure",
"representation": "failed",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Informational",
"representation": "1",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Warning",
"representation": "2",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": null,
"representation": "success",
"text": "{0}{1}"
}
]
}
}
],
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "SentinelResourceId",
"comparison": "isNotEqualTo"
},
"name": "query - 4"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Health"
},
"name": "group - Health"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "098b46a0-d08d-4d8d-87b6-9f73bcd3e80b",
"version": "KqlParameterItem/1.0",
"name": "AuditRuleType",
"type": 2,
"isRequired": true,
"isGlobal": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| distinct SentinelResourceKind",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": [
"Scheduled"
]
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 1,
"content": {
"json": "The bar chart below is Time Brush enabled. <br>\r\nYou can filter or narrow the time range by 'brushing' a range of time in the chart. (To reset, click the 'reset the time range selection' icon in the top right corner of the chart).",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| summarize count() by Description, bin(TimeGenerated,1h)\r\n",
"size": 0,
"title": "Analytics rule audit trending by activity",
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeBrushAudit",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "barchart",
"chartSettings": {
"xAxis": "TimeGenerated",
"seriesLabelSettings": [
{
"seriesName": "Create or update analytics rule.",
"color": "blue"
}
]
}
},
"name": "query - 1"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "be787c74-b69c-47b5-93d4-18e1b8520a43",
"version": "KqlParameterItem/1.0",
"name": "Description",
"label": "Activity",
"type": 2,
"isRequired": true,
"isGlobal": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| distinct Description",
"crossComponentResources": [
"{Workspace}"
],
"isHiddenWhenLocked": true,
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrushAudit",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "17ebef69-1c28-4452-b58d-76915a1e9680",
"version": "KqlParameterItem/1.0",
"name": "Caller",
"type": 2,
"isRequired": true,
"isGlobal": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| where Description in ({Description})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| distinct Caller",
"crossComponentResources": [
"{Workspace}"
],
"isHiddenWhenLocked": true,
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrushAudit",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "2988b87a-e357-497b-b9a9-3e6b3f0bcfef",
"version": "KqlParameterItem/1.0",
"name": "AuditSentinelResourceId",
"type": 2,
"isRequired": true,
"isGlobal": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| where Description in ({Description})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| where Caller in ({Caller})\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n| distinct SentinelResourceId",
"crossComponentResources": [
"{Workspace}"
],
"isHiddenWhenLocked": true,
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeBrushAudit",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 3"
},
{
"type": 1,
"content": {
"json": "You can filter by Activity by clicking an item in the chart below. <br>\r\nTo reset, click the 'clear selection' icon in the top right corner of the chart.",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Data =(\r\n_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| where Caller in ({Caller})\r\n);\r\nlet Total =(\r\nData \r\n| summarize Total=count() by Description);\r\nlet Scheduled=(\r\nData\r\n| where SentinelResourceKind == \"Scheduled\"\r\n| summarize Scheduled =count() by Description);\r\nlet NRT=(\r\nData\r\n| where SentinelResourceKind == \"NRT\"\r\n| summarize NRT =count() by Description);\r\nlet MLBehaviorAnalytics=(\r\nData\r\n| where SentinelResourceKind == \"MLBehaviorAnalytics\"\r\n| summarize MLBehaviorAnalytics =count() by Description);\r\nlet MicrosoftSecurityIncidentCreation=(\r\nData\r\n| where SentinelResourceKind == \"MicrosoftSecurityIncidentCreation\"\r\n| summarize MicrosoftSecurityIncidentCreation =count() by Description);\r\nlet ThreatIntelligence=(\r\nData\r\n| where SentinelResourceKind == \"ThreatIntelligence\"\r\n| summarize ThreatIntelligence =count() by Description);\r\nlet Fusion=(\r\nData\r\n| where SentinelResourceKind == \"Fusion\"\r\n| summarize Fusion =count() by Description);\r\nunion Total, Scheduled, NRT, MLBehaviorAnalytics, MicrosoftSecurityIncidentCreation, ThreatIntelligence, Fusion\r\n| summarize TotalEvents= sum(Total), Scheduled= sum(Scheduled), NRT=sum(NRT), MLBehaviorAnalytics=sum(MLBehaviorAnalytics), MicrosoftSecurityIncidentCreation= sum(MicrosoftSecurityIncidentCreation), ThreatIntelligence=sum(ThreatIntelligence), Fusion=sum(Fusion) by Description\r\n| extend DescriptionText = strcat(\"'\",Description,\"'\")\r\n",
"size": 1,
"title": "Number of audit events by Activity and Rule type",
"timeContextFromParameter": "TimeBrushAudit",
"exportFieldName": "DescriptionText",
"exportParameterName": "Description",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Description",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "46ch"
}
},
{
"columnMatch": "TotalEvents",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "magenta",
"customColumnWidthSetting": "30ch"
}
},
{
"columnMatch": "Scheduled",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "turquoise",
"compositeBarSettings": {
"labelText": "",
"columnSettings": []
},
"customColumnWidthSetting": "22ch"
}
},
{
"columnMatch": "NRT",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "turquoise",
"customColumnWidthSetting": "22ch"
}
},
{
"columnMatch": "MLBehaviorAnalytics",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "turquoise",
"customColumnWidthSetting": "23ch"
}
},
{
"columnMatch": "MicrosoftSecurityIncidentCreation",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "turquoise",
"customColumnWidthSetting": "24ch"
}
},
{
"columnMatch": "ThreatIntelligence",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "turquoise",
"customColumnWidthSetting": "22ch"
}
},
{
"columnMatch": "Fusion",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "turquoise",
"customColumnWidthSetting": "22ch"
}
},
{
"columnMatch": "DescriptionText",
"formatter": 5
}
],
"sortBy": [
{
"itemKey": "Description",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "Description",
"sortOrder": 1
}
],
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Create or update analytics rule.",
"color": "blue"
}
]
}
},
"customWidth": "100",
"name": "query - 2"
},
{
"type": 1,
"content": {
"json": "💡 Click on a row in the grid below to drill in further",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| where Description in ({Description})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| where Caller in ({Caller})\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n| where SentinelResourceId in ({AuditSentinelResourceId})\r\n| summarize TotalEvents = count() by SentinelResourceId, RuleName=SentinelResourceName, Type=SentinelResourceKind\r\n| extend AuditSentinelResourceIdText = strcat(\"'\",SentinelResourceId,\"'\")",
"size": 0,
"title": "Audit activity by Rule name",
"timeContextFromParameter": "TimeBrushAudit",
"exportedParameters": [
{
"fieldName": "AuditSentinelResourceIdText",
"parameterName": "AuditSentinelResourceId",
"parameterType": 1
},
{
"fieldName": "RuleName",
"parameterName": "AuditSelectedRuleName",
"parameterType": 1
}
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "SentinelResourceId",
"formatter": 5
},
{
"columnMatch": "RuleName",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "80ch"
}
},
{
"columnMatch": "Type",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "TotalEvents",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "purple"
}
},
{
"columnMatch": "AuditSentinelResourceIdText",
"formatter": 5
}
],
"filter": true
}
},
"customWidth": "55",
"name": "query - 4"
},
{
"type": 1,
"content": {
"json": ""
},
"customWidth": "5",
"name": "text - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| where SentinelResourceKind in ({AuditRuleType})\r\n| where Description in ({Description})\r\n| extend Caller= tostring(ExtendedProperties.CallerName)\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n| where SentinelResourceId in ({AuditSentinelResourceId})\r\n| summarize TotalEvents = count() by Caller\r\n",
"size": 4,
"title": "Audit activity by Caller",
"timeContextFromParameter": "TimeBrushAudit",
"exportFieldName": "Caller",
"exportParameterName": "Caller",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Caller",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "55ch"
}
},
{
"columnMatch": "TotalEvents",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "brown"
}
}
],
"filter": true
}
},
"customWidth": "35",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "_SentinelAudit()\r\n| where SentinelResourceType ==\"Analytic Rule\"\r\n| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)\r\n| where SentinelResourceId in ({AuditSentinelResourceId})\r\n| project TimeGenerated, SentinelResourceName, Status, Description, SentinelResourceKind, ExtendedProperties",
"size": 0,
"title": "Audit activity for rule: {AuditSelectedRuleName}",
"timeContextFromParameter": "TimeBrushAudit",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "AuditSelectedRuleName",
"comparison": "isNotEqualTo"
},
"name": "query - 7"
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "Audit"
},
"name": "group - Audit"
}
],
"fromTemplateId": "sentinel-AnalyticsHealthAudit",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}